Implementing Azure Policy for Resource Governance and Compliance

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
        { "field": "tags['Environment']", "exists": "false" }
      ]
    },
    "then": { "effect": "Deny" }
  }
}
```

    * **Explanation**: The `if` block matches when the resource is a resource group (`Microsoft.Resources/subscriptions/resourceGroups`) and the `Environment` tag is absent (`exists: false`). Note that `exists` only tests for the tag key, so a tag with an empty value would satisfy the policy; use `notEquals: ""` as a second condition if empty values must also be rejected. When both conditions hold, the `Deny` effect rejects the create or update request. The mode is `All` rather than `Indexed`: `Indexed` is meant for resource types that support tags and location, and resource groups are only guaranteed to be evaluated in `All` mode, which is also what the built-in *Require a tag on resource groups* definition uses.
  1. Click Save.

3. Assigning the Custom Policy

Now, let's assign the policy we just created. Because it targets resource groups, which are created directly under a subscription, the assignment scope must be the subscription (or a management group). An assignment scoped to a single resource group only evaluates that one group and its resources; it would never see a new resource group being created.

  1. In the left navigation pane of the Policy service, under Authoring, select Assignments.
  2. Click + Assign Policy.

  3. Basics:

    • Scope: Click the three dots (...) and select the subscription where you want the policy to apply. Leave the resource group selector empty so that the whole subscription is in scope.
    • Policy definition: Click on the three dots (...) and look for the policy you created (Require Environment Tag on Resource Groups). Select it.
    • Assignment name: Filled in automatically, but you can change it (e.g. Assign-Environment-Tag-RG).
    • Description: Provide a description.
    • Policy Enforcement: Keep Enabled.
  4. Click Next.

  5. Parameters: There are no parameters for this policy, click Next.

  6. Remediation: For policies with effects like DeployIfNotExists or Modify, you would configure remediation tasks here. For Deny, it is not applicable. Click Next.
  7. Non-compliance messages: Optionally customize the message users see when a request is denied or a resource is reported as non-compliant. Click Next.
  8. Review + create: Review the settings and click Create.

4. Testing the Mandatory Tagging Policy

  1. In the Azure portal, try creating a new resource group in the subscription covered by the assignment.
  2. When filling in the resource group details, do not add the Environment tag.
  3. Try creating the resource group.

    • Expected Result: Resource group creation should fail with an error message indicating that the Require Environment Tag on Resource Groups policy denied the operation because the Environment tag is missing.
  4. Now create another resource group and add the Environment tag with a value (e.g. Environment: Development).

    • Expected Result: Resource group creation should be successful.
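
Sections 2 to 4 are driven entirely through the portal, so the only way to see how the rule behaves is to assign it and try to create resource groups. The Python below is an added example (not code from the original page or from Microsoft) that dry-runs the same rule locally: it implements the documented semantics of the few constructs the definition uses, with the effect turned into a parameter so the definition can be assigned as Audit first and switched to Deny later, as the Start with Audit tip recommends. The sample payloads are constructed; the real evaluation engine is, of course, Azure's.

```python
"""Local dry-run of the tutorial's tagging policy (added illustration, not Azure's engine).

Implements the documented semantics of the constructs the definition uses: allOf/anyOf/not,
field, equals/notEquals/exists, the tags['<name>'] alias and a parameterised effect."""
import re

# The tutorial's rule, with mode "All" (resource groups are evaluated reliably only in that
# mode) and the effect exposed as a parameter: assign as Audit first, switch to Deny later.
POLICY_DEFINITION = {
    "mode": "All",
    "parameters": {
        "effect": {"type": "String", "allowedValues": ["Audit", "Deny"], "defaultValue": "Audit"}
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
                {"field": "tags['Environment']", "exists": "false"},
            ]
        },
        "then": {"effect": "[parameters('effect')]"},
    },
}

_TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")
_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def get_field(resource, field):
    """Resolve type/name/location or tags['<name>']; tag names are case-insensitive in ARM."""
    m = _TAG_FIELD.match(field)
    if not m:
        return resource.get(field)
    wanted = m.group(1).lower()
    for key, value in (resource.get("tags") or {}).items():
        if key.lower() == wanted:
            return value
    return None


def condition_matches(cond, resource):
    """True when the 'if' block matches, i.e. the effect in 'then' applies."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        # 'exists' only checks that the key is present: a tag with an empty value still passes.
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:  # string comparisons in Azure Policy are case-insensitive
        return isinstance(value, str) and value.lower() == cond["equals"].lower()
    if "notEquals" in cond:
        return not (isinstance(value, str) and value.lower() == cond["notEquals"].lower())
    raise ValueError(f"unsupported condition: {cond}")


def resolve_effect(definition, assignment_params):
    """Turn "[parameters('effect')]" into the value set on the assignment (or the default)."""
    effect = definition["policyRule"]["then"]["effect"]
    m = _PARAM_REF.match(effect)
    if not m:
        return effect
    name = m.group(1)
    spec = definition["parameters"][name]
    value = assignment_params.get(name, spec.get("defaultValue"))
    if "allowedValues" in spec and value not in spec["allowedValues"]:
        raise ValueError(f"{value!r} is not an allowed value for parameter {name!r}")
    return value


def evaluate(definition, resource, assignment_params=None):
    """Effect that applies to the resource, or None when the rule does not fire."""
    if condition_matches(definition["policyRule"]["if"], resource):
        return resolve_effect(definition, assignment_params or {})
    return None


def request_allowed(definition, resource, assignment_params=None):
    """Only Deny blocks a create/update; Audit lets it through and records non-compliance."""
    return evaluate(definition, resource, assignment_params) != "Deny"


# Constructed sample payloads (not taken from Azure or from the original page).
RG = "Microsoft.Resources/subscriptions/resourceGroups"
SAMPLES = {
    "untagged": {"type": RG, "name": "rg-untagged", "location": "eastus", "tags": {}},
    "tagged": {"type": RG, "name": "rg-dev", "location": "eastus", "tags": {"Environment": "Development"}},
    "lowercase_key": {"type": RG, "name": "rg-dev2", "location": "eastus", "tags": {"environment": "Dev"}},
    "empty_value": {"type": RG, "name": "rg-empty", "location": "eastus", "tags": {"Environment": ""}},
    "not_an_rg": {"type": "Microsoft.Storage/storageAccounts", "name": "st1", "location": "eastus"},
}

if __name__ == "__main__":
    for name, res in SAMPLES.items():
        blocked = not request_allowed(POLICY_DEFINITION, res, {"effect": "Deny"})
        print(f"{name:14} default effect={evaluate(POLICY_DEFINITION, res)!s:6} blocked when Deny={blocked}")
```

Two things the dry run makes visible that the portal test does not: with the default parameter the untagged group is reported (Audit) but never blocked, so the assignment must explicitly set effect to Deny for the test in section 4 to fail as expected; and a resource group carrying `Environment: ""` passes, because `exists` does not look at the value.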

5. Creating an Initiative (Policy Set)

Let's create an initiative to group common security policies, such as requiring HTTPS on storage accounts and encryption on VM disks.

  1. In the left navigation pane of the Policy service, under Authoring, select Definitions.
  2. Click + Initiative definition.

  3. Basics:

    • Definition location: Select the subscription or management group.
    • Name: Basic Security Initiative.
    • Description: Set of essential security policies for basic compliance.
    • Category: Select Use existing and choose Security.
  4. Click Next.

  5. Policies: Click + Add policy definition.

    • Search for built-in policy definitions that cover these controls, for example Secure transfer to storage accounts should be enabled (HTTPS-only access to storage) and a built-in definition that requires encryption of virtual machine disks.
    • Select them and click Add.
  6. Initiative Parameters: If the added policies have parameters, you can configure them here. Click Next.

  7. Review + create: Review the settings and click Create.
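
The initiative above exists only as portal clicks. The same object is a policy set definition that can be kept under version control and deployed from a pipeline, as the best-practice section below recommends. The Python that follows is an added example (not code from the page or from Microsoft) that builds such a definition with every member's effect wired to an initiative-level parameter, and checks the mistakes Azure rejects at creation time: a `[parameters('...')]` reference the initiative never declares, a duplicate `policyDefinitionReferenceId`, and a member whose `policyDefinitionId` is not a policy definition resource ID. The definition GUIDs are placeholders, and the member parameter name `effect` is assumed to match the referenced built-ins.

```python
"""Build an Azure Policy initiative (policySetDefinition) as JSON and sanity-check it.

Added illustration, not Microsoft's or the page's code. The definition IDs below are
placeholders standing in for the GUIDs of the built-in definitions you select."""
import json
import re

_PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")
_DEFINITION_PREFIX = "/providers/Microsoft.Authorization/policyDefinitions/"


def build_initiative(name, display_name, members, category="Security"):
    """members: (referenceId, policyDefinitionId, {policyParameter: initiativeParameter}).

    Each member parameter is wired to an initiative-level parameter, so the effect of every
    policy can be set per assignment (Audit first, Deny later) without editing the initiative.
    The allowedValues must match what the referenced definition accepts (assumed here)."""
    policy_definitions, parameters = [], {}
    for ref_id, definition_id, wiring in members:
        policy_definitions.append({
            "policyDefinitionReferenceId": ref_id,
            "policyDefinitionId": definition_id,
            "parameters": {p: {"value": f"[parameters('{ip}')]"} for p, ip in wiring.items()},
        })
        for ip in wiring.values():
            parameters.setdefault(ip, {
                "type": "String",
                "allowedValues": ["Audit", "Deny", "Disabled"],
                "defaultValue": "Audit",
            })
    return {
        "name": name,
        "properties": {
            "displayName": display_name,
            "policyType": "Custom",
            "metadata": {"category": category},
            "parameters": parameters,
            "policyDefinitions": policy_definitions,
        },
    }


def validate_initiative(initiative):
    """Return the problems Azure would reject on create (an empty list means OK)."""
    props = initiative["properties"]
    declared = set(props.get("parameters", {}))
    problems, seen = [], set()
    for member in props["policyDefinitions"]:
        ref = member.get("policyDefinitionReferenceId", "")
        if ref in seen:
            problems.append(f"duplicate policyDefinitionReferenceId {ref!r}")
        seen.add(ref)
        if _DEFINITION_PREFIX.lower() not in member.get("policyDefinitionId", "").lower():
            problems.append(f"{ref}: policyDefinitionId is not a policy definition resource ID")
        for pname, pval in member.get("parameters", {}).items():
            for used in _PARAM_REF.findall(str(pval.get("value", ""))):
                if used not in declared:
                    problems.append(f"{ref}: parameter {pname!r} references undeclared initiative parameter {used!r}")
    return problems


# Placeholder definition IDs (constructed; substitute the GUIDs of the real built-ins).
INITIATIVE = build_initiative(
    "basic-security-initiative",
    "Basic Security Initiative",
    [
        ("storageHttpsOnly", _DEFINITION_PREFIX + "00000000-0000-0000-0000-000000000001", {"effect": "storageEffect"}),
        ("vmDiskEncryption", _DEFINITION_PREFIX + "00000000-0000-0000-0000-000000000002", {"effect": "diskEffect"}),
    ],
)

if __name__ == "__main__":
    print(json.dumps(INITIATIVE, indent=2))
    print("problems:", validate_initiative(INITIATIVE) or "none")
```

Once the check passes, the `policyDefinitions` array and `parameters` object can be handed to `az policy set-definition create --name ... --definitions <file> --params <file>` or to `New-AzPolicySetDefinition`, which is what a CI/CD job would run instead of the portal steps above.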

6. Assigning the Initiative

Assign the security initiative to an entire subscription to ensure that all policies within it are applied.

  1. In the left navigation pane of the Policy service, under Authoring, select Assignments.
  2. Click + Assign initiative.

  3. Basics:

    • Scope: Select the entire subscription.
    • Initiative: Search for Basic Security Initiative and select it.
    • Assignment name: Filled in automatically.
    • Policy Enforcement: Keep Enabled.
  4. Click Next.

  5. Parameters: Configure any parameters defined in the initiative. Click Next.

  6. Remediation: Remediation tasks apply only to policies with DeployIfNotExists or Modify effects, which is also where the assignment's managed identity is configured. For Audit and Deny there is nothing to remediate, so leave the defaults. Click Next.
  7. Non-compliance messages: Optionally, customize messages. Click Next.
  8. Review + create: Review the settings and click Create.

7. Reviewing Compliance

After assignment, Azure Policy takes some time to evaluate existing resources and report compliance.

  1. In the left navigation pane of the Policy service, select Compliance.
  2. You will see a compliance dashboard showing the overall compliance status of your policy and initiative assignments.

  3. Click an assignment to see details, including which resources are compliant and which are not. Filter by Compliance state to show only non-compliant resources.

  4. For resources that do not comply with DeployIfNotExists or Modify policies, you can create a remediation task to automatically fix these resources.

    • On the assignment details page, click Create remediation task.
    • Select the policy you want to remediate and click Remediate.

Security Tips and Best Practices

  • Start with Audit: When implementing new policies, start with the Audit effect to understand the impact and identify non-compliant resources without blocking operations. After validating, change it to Deny or Modify/DeployIfNotExists.
  • Appropriate Scope: Assign policies at the highest possible scope (management group or subscription) and use exclusions for lower scopes when necessary. This ensures broad and consistent coverage.
  • Use Initiatives: Group related policies into initiatives to simplify management and ensure that a complete set of rules is applied.
  • Naming Conventions: Use clear and consistent naming conventions for policy definitions, initiatives, and assignments for easier identification and management.
  • Version Control: Store your custom policy definitions in a version control system (e.g. Git) to track changes, collaborate, and facilitate automated deployment.
  • Continuous Monitoring: Monitor the Azure Policy compliance dashboard regularly. Configure alerts for critical nonconformities.
  • Integration with Azure DevOps/GitHub Actions: Automate policy deployment using CI/CD pipelines to ensure policies are applied in a consistent and traceable manner.
  • Documentation: Maintain clear documentation of your policies, their objectives, effects and any exceptions.

Common Troubleshooting

  • Resource improperly blocked:
    • Check the Activity log (or the error returned to the caller): a denied request fails with the error code RequestDisallowedByPolicy, and the message lists the policy assignment and policy definition that produced the denial.
    • Review the policy definition and assignment to ensure the conditions and scope are correct.
    • If the resource is a legitimate exception, add an exclusion to the assignment or create a policy exemption for it rather than weakening the definition.
  • Non-conforming resource is not being detected:
    • Verify that the policy is assigned to the correct scope and that enforcement is Enabled.
    • Ensure that the policy definition is correct and that the conditions are evaluating to true for the non-conforming resource.
    • A new or changed assignment takes about 30 minutes to take effect, and the compliance scan that follows can take longer. You can trigger an on-demand scan (az policy state trigger-scan or Start-AzPolicyComplianceScan) instead of waiting for the next evaluation cycle.
  • Remediation tasks fail:
    • Check the remediation task logs to identify the error.
    • Ensure that the assignment's managed identity holds the Azure RBAC role(s) the policy definition declares in roleDefinitionIds, granted at the scope being remediated.
    • The DeployIfNotExists deployment template or the Modify operations may themselves be faulty; deploy the template on its own against a test resource to isolate the error.
  • Policy does not apply to existing resources:
    • Deny and Audit never change existing resources. Existing resources that violate the rule are reported as non-compliant by the compliance scan, but Deny only blocks new creates and updates. DeployIfNotExists and Modify act on new or updated resources at request time; existing resources are fixed only when you run a remediation task.
  • Policy conflicts: All assignments that cover a resource are evaluated and their effects are cumulative. A single Deny is enough to block a request even when other assignments only Audit, and the compliance view reports the resource against each assignment separately. Review assignments and scope.
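
The first troubleshooting item says the denial error names the policy; in practice the useful identifiers are buried in the error body, and an incident responder or platform engineer triaging many denials wants them extracted programmatically. The Python below is an added example (not code from the page or from Microsoft) that pulls the denying assignment, its definition and its scope out of a RequestDisallowedByPolicy error such as Azure Resource Manager returns and the Activity log records. The sample error is constructed to follow the documented shape of that response; the field names inside the PolicyViolation block are assumed to match that documentation.

```python
"""Identify which policy assignment denied a request (added illustration, not Microsoft's code).

When Azure Resource Manager rejects a request because of a Deny policy, the error code is
RequestDisallowedByPolicy. The functions below read the PolicyViolation entries from
'additionalInfo' and fall back to the identifier list embedded in the message text."""
import json
import re

_ASSIGNMENT_SPLIT = re.compile(r"/providers/Microsoft\.Authorization/policyAssignments/", re.I)
_POLICY_IDS = re.compile(r"Policy identifiers: '(\[.*\])'", re.S)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENT_ID = SUB + "/providers/Microsoft.Authorization/policyAssignments/require-env-tag-rg"
DEFINITION_ID = SUB + "/providers/Microsoft.Authorization/policyDefinitions/require-env-tag-rg"

# Constructed sample shaped like the documented error response (not captured from a tenant).
SAMPLE_ERROR = json.dumps({
    "error": {
        "code": "RequestDisallowedByPolicy",
        "target": "rg-untagged",
        "message": (
            "Resource 'rg-untagged' was disallowed by policy. Policy identifiers: '"
            + json.dumps([{"policyAssignment": {"name": "Require-Environment-Tag-RG", "id": ASSIGNMENT_ID},
                           "policyDefinition": {"name": "Require Environment Tag on Resource Groups",
                                                "id": DEFINITION_ID}}])
            + "'."
        ),
        "additionalInfo": [{
            "type": "PolicyViolation",
            "info": {
                "policyDefinitionId": DEFINITION_ID,
                "policyDefinitionDisplayName": "Require Environment Tag on Resource Groups",
                "policyDefinitionEffect": "deny",
                "policyAssignmentId": ASSIGNMENT_ID,
                "policyAssignmentName": "require-env-tag-rg",
                "policyAssignmentScope": SUB,
            },
        }],
    }
})


def assignment_scope(assignment_id):
    """An assignment ID is <scope>/providers/Microsoft.Authorization/policyAssignments/<name>."""
    return _ASSIGNMENT_SPLIT.split(assignment_id or "", maxsplit=1)[0]


def scope_level(scope):
    """Classify a scope as managementGroup, subscription, resourceGroup or resource."""
    parts = [p for p in (scope or "").split("/") if p]
    lowered = [p.lower() for p in parts]
    if "managementgroups" in lowered:
        return "managementGroup"
    if "resourcegroups" in lowered:
        return "resourceGroup" if len(parts) == 4 else "resource"
    return "subscription" if len(parts) == 2 else "unknown"


def denying_policies(error_body):
    """Policies that denied the request, one dict per PolicyViolation; empty if not a policy denial."""
    doc = json.loads(error_body) if isinstance(error_body, str) else error_body
    err = doc.get("error", doc)
    if err.get("code") != "RequestDisallowedByPolicy":
        return []
    hits = []
    for extra in err.get("additionalInfo") or []:
        if extra.get("type") != "PolicyViolation":
            continue
        info = extra.get("info", {})
        hits.append({
            "assignment_id": info.get("policyAssignmentId"),
            "assignment_name": info.get("policyAssignmentName"),
            "definition_id": info.get("policyDefinitionId"),
            "definition_display_name": info.get("policyDefinitionDisplayName"),
            "effect": (info.get("policyDefinitionEffect") or "deny").lower(),
            "scope": info.get("policyAssignmentScope") or assignment_scope(info.get("policyAssignmentId")),
        })
    if hits:
        return hits
    # If additionalInfo is missing (e.g. a truncated log entry), use the identifiers in the message.
    m = _POLICY_IDS.search(err.get("message", ""))
    if not m:
        return []
    for ident in json.loads(m.group(1)):
        assignment, definition = ident.get("policyAssignment", {}), ident.get("policyDefinition", {})
        hits.append({
            "assignment_id": assignment.get("id"),
            "assignment_name": assignment.get("name"),
            "definition_id": definition.get("id"),
            "definition_display_name": definition.get("name"),
            "effect": "deny",
            "scope": assignment_scope(assignment.get("id")),
        })
    return hits


if __name__ == "__main__":
    for hit in denying_policies(SAMPLE_ERROR):
        print(f"denied by assignment {hit['assignment_name']} at {scope_level(hit['scope'])} scope "
              f"using definition {hit['definition_display_name']!r}")
```

The scope classification is what answers the last troubleshooting item: when several assignments cover a resource, the one that produced the Deny is the one to review, and knowing whether it sits at management-group, subscription or resource-group level tells you where an exclusion or exemption would have to be placed.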

Conclusion

Azure Policy is a fundamental tool for any organization looking to establish effective governance and ensure compliance of its resources in the Azure cloud. By enabling automation of rule enforcement, from resource tagging to critical security configurations, Azure Policy helps maintain order, reduce risk, and optimize costs in complex, constantly evolving environments. The ability to create custom policies and group them into initiatives provides flexibility to meet specific business and regulatory requirements. With this practical guide, security professionals and IT administrators will be well-equipped to configure, validate, and manage Azure Policy, building a solid foundation for a secure and compliant cloud governance strategy.
